CVE-2017-0903

Sažetak

RubyGems versions between 2.0.0 and 2.6.13 are vulnerable to a possible remote code execution vulnerability. YAML deserialization of gem specifications can bypass class white lists. Specially crafted serialized objects can possibly be used to escalate to remote code execution.

Reference

http://blog.rubygems.org/2017/10/09/2.6.14-released.html
http://blog.rubygems.org/2017/10/09/unsafe-object-deserialization-vulnerability.html
http://www.securityfocus.com/bid/101275
https://access.redhat.com/errata/RHSA-2017:3485
https://access.redhat.com/errata/RHSA-2018:0378
https://access.redhat.com/errata/RHSA-2018:0583
https://access.redhat.com/errata/RHSA-2018:0585
https://github.com/rubygems/rubygems/commit/510b1638ac9bba3ceb7a5d73135dafff9e5bab49
https://hackerone.com/reports/274990
https://lists.debian.org/debian-lts-announce/2018/07/msg00012.html
https://usn.ubuntu.com/3553-1/
https://usn.ubuntu.com/3685-1/
https://www.debian.org/security/2017/dsa-4031

CVSS

Base:	7.5
Impact:	6.4
Exploitability:	10.0

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
PARTIAL	PARTIAL	PARTIAL

CVSS vektor

AV:N/AC:L/Au:N/C:P/I:P/A:P

Zadnje važnije ažuriranje

09-10-2019 - 23:21

Objavljeno

11-10-2017 - 18:29